Campus Network Home Lab
Recently I upgraded my home lab and decided to build a simple campus network topology. To get more switching practice I bought one more Cisco 3750. These switches support stacking, which I will implement in the more complex topologies that follow.
I will start with the physical device connections and the initial configuration (the hostname command in global configuration mode, and passwords on the vty and console lines of both the switches and the routers). The physical connections and device names are shown in the diagram below.
After connecting all devices, my physical lab looks like this:
On both the core and access layer switches I will shut down the unused interfaces. This is important from a security point of view, and it is good practice in the real world.
And on the access layer switches too.
For security reasons (and as good practice in the real world) I will turn VTP off with vtp mode off in global configuration mode (on older devices, such as the 2950 in my case, vtp mode transparent). After that I need to add some VLANs and configure the access and trunk ports on the core switches:
conf t
int range fa1/0/1-3
switchport trunk encapsulation dot1q
switchport mode trunk
exit
int range fa1/0/23-24
switchport trunk encapsulation dot1q
switchport mode trunk
exit
And an access port on Core-1 for the server side and on Core-2 facing the router:
Core-1#conf t
Core-1(config)#int fa1/0/20
Core-1(config-if)#switchport mode access
Core-1(config-if)#switchport access vlan 100

Core-2#conf t
Core-2(config)#int fa1/0/22
Core-2(config-if)#switchport mode access
Core-2(config-if)#switchport access vlan 1
Pretty much the same configuration must be applied on the access layer switches (old switches support only 802.1Q encapsulation, so there is nothing to choose):
conf t
int range fa0/23-24
switchport mode trunk
exit
int fa0/1
switchport mode access
switchport access vlan X
*Switch-1 has VLAN 10, Switch-2 VLAN 20 and Switch-3 VLAN 30 on the fa0/1 access port.
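A quick way to verify the hardening steps above (unused ports shut down, VTP off or transparent, and every active port explicitly set to access or trunk rather than left to negotiate) is to audit the running-config text. The Python script below is an added example and not part of this lab's configuration: the config excerpt it parses is constructed for the demo, and its rule that an active port with no switchport mode is "unused" is an assumption of the script, not an IOS rule.

```python
import re

# Constructed running-config excerpt (not from the lab). It deliberately mixes
# compliant interfaces with ones a reviewer should flag.
SAMPLE_CONFIG = """\
hostname Core-1
vtp mode off
!
interface FastEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/20
 switchport mode access
 switchport access vlan 100
!
interface FastEthernet1/0/21
 shutdown
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
 switchport mode dynamic desirable
!
"""

SAFE_VTP_MODES = {"off", "transparent"}


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for every interface stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or any top-level command ends the stanza
    return interfaces


def vtp_mode(config):
    """VTP mode from the config; IOS hides the default (server) from show run."""
    m = re.search(r"^vtp mode (\S+)", config, re.M)
    return m.group(1) if m else "server"


def audit(config):
    """List of findings: VTP not disabled, dynamic ports, active ports with no role."""
    findings = []
    mode = vtp_mode(config)
    if mode not in SAFE_VTP_MODES:
        findings.append(f"vtp mode is '{mode}'; expected off or transparent")
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue                # shut ports are exactly what we want for unused ones
        explicit = any(l.startswith(("switchport mode access", "switchport mode trunk")) for l in lines)
        dynamic = any(l.startswith("switchport mode dynamic") for l in lines)
        if dynamic:
            findings.append(f"{name}: dynamic trunk negotiation enabled; set access or trunk explicitly")
        elif not explicit:
            # Assumption of this script: no access/trunk role and not shut means unused.
            findings.append(f"{name}: unused port is not shut down")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config and it reports the two ports in the sample that violate the rules above; change the sample's vtp mode off to vtp mode server and a third finding appears.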
The next problem is spanning-tree optimization.
Core-1#sh spanning-tree
<output omitted>
Fa1/0/1 Altn BLK 19 128.3 P2p
Fa1/0/2 Desg FWD 19 128.4 P2p
Fa1/0/3 Altn BLK 19 128.5 P2p
Fa1/0/23 Root FWD 19 128.25 P2p
Fa1/0/24 Altn BLK 19 128.26 P2p

VLAN0010
<output omitted>
Fa1/0/1 Altn BLK 19 128.3 P2p
Fa1/0/2 Desg FWD 19 128.4 P2p
Fa1/0/3 Altn BLK 19 128.5 P2p
Fa1/0/23 Root FWD 19 128.25 P2p
Fa1/0/24 Altn BLK 19 128.26 P2p

VLAN0020
<output omitted>
Fa1/0/1 Altn BLK 19 128.3 P2p
Fa1/0/2 Desg FWD 19 128.4 P2p
Fa1/0/3 Altn BLK 19 128.5 P2p
Fa1/0/23 Root FWD 19 128.25 P2p
Fa1/0/24 Altn BLK 19 128.26 P2p

VLAN0030
<output omitted>
Fa1/0/1 Altn BLK 19 128.3 P2p
Fa1/0/2 Desg FWD 19 128.4 P2p
Fa1/0/3 Altn BLK 19 128.5 P2p
Fa1/0/23 Root FWD 19 128.25 P2p
Fa1/0/24 Altn BLK 19 128.26 P2p

VLAN0100
<output omitted>
Fa1/0/1 Altn BLK 19 128.3 P2p
Fa1/0/2 Desg FWD 19 128.4 P2p
Fa1/0/3 Altn BLK 19 128.5 P2p
Fa1/0/20 Desg FWD 19 128.22 P2p
Fa1/0/23 Root FWD 19 128.25 P2p
Fa1/0/24 Altn BLK 19 128.26 P2p

2960-S-2#sh spanning-tree
<output omitted>
VLAN0020
<output omitted>
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/23 Altn BLK 19 128.23 P2p
Fa0/24 Root FWD 19 128.24 P2p
*On the Core-2 switch and the other access layer switches, all ports are in the FWD (forwarding) state.
Based on the topology design and the show spanning-tree output above, the following problem occurs:
the redundant connection is blocked by spanning tree, and this should be optimized. From the output above there will be an issue with traffic across the fa0/23 link if multiple devices send large files.
The access switches carry multiple VLANs, so performance can be improved by sending some of that traffic over a specific uplink.
Spanning-tree optimization
For example, Core-1 will be the root for the odd VLANs and Core-2 the root for the even VLANs. Let's assume the odd VLANs are 1, 10 and 30 and the even VLANs are 20 and 100. It is good practice for the core switches to be the root switches, each also acting as the backup root for the other's VLANs. In global configuration mode on Core-1 and Core-2 I will enter a few commands:
Core-1(config)#spanning-tree vlan 1,10,30 priority 0
Core-1(config)#spanning-tree vlan 20,100 priority 4096
The Core-2 switch will be the backup for VLANs 1, 10 and 30 and the root for VLANs 20 and 100, so its configuration will be:
Core-2(config)#spanning-tree vlan 20,100 priority 0
Core-2(config)#spanning-tree vlan 1,10,30 priority 4096
This configuration optimizes spanning tree by making Core-1 the root for some VLANs and Core-2 for the others.
There is still a problem, however: one of the links between the two core switches is still blocking. These two links must be bundled into an EtherChannel to get better throughput.
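The priority commands above work because PVST+ elects the root per VLAN from the lowest bridge ID, which is the configured priority plus the VLAN number (the extended system ID) followed by the MAC address. The Python model below is an added example, not the switches' own logic or output: the priorities are the ones configured above, the access switches keep the default 32768, and the MAC addresses are constructed. It also shows what happens when nothing is configured, where the lowest MAC address (here an access switch) wins every VLAN, which is the situation the priority commands are meant to prevent.

```python
DEFAULT_PRIORITY = 32768           # IOS default bridge priority
VLANS = (1, 10, 20, 30, 100)

# Priorities follow the page's "spanning-tree vlan ... priority" commands;
# MAC addresses are constructed for the example.
SWITCHES = {
    "Core-1":   {"mac": "00:1a:a1:00:00:01",
                 "priority": {1: 0, 10: 0, 30: 0, 20: 4096, 100: 4096}},
    "Core-2":   {"mac": "00:1a:a1:00:00:02",
                 "priority": {20: 0, 100: 0, 1: 4096, 10: 4096, 30: 4096}},
    "Switch-1": {"mac": "00:0a:b2:00:00:01", "priority": {}},
    "Switch-2": {"mac": "00:0a:b2:00:00:02", "priority": {}},
    "Switch-3": {"mac": "00:0a:b2:00:00:03", "priority": {}},
}


def valid_priority(p):
    """IOS accepts only multiples of 4096 between 0 and 61440 because the low 12 bits carry the VLAN ID."""
    return 0 <= p <= 61440 and p % 4096 == 0


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def bridge_id(switch, vlan, configured=True):
    """Bridge ID as PVST+ compares it: (priority + VLAN as extended system ID, MAC address)."""
    prio = SWITCHES[switch]["priority"].get(vlan, DEFAULT_PRIORITY) if configured else DEFAULT_PRIORITY
    return (prio + vlan, mac_to_int(SWITCHES[switch]["mac"]))


def elect_root(vlan, alive=None, configured=True):
    """Lowest bridge ID among the alive switches wins; equal priorities fall back to the lowest MAC."""
    candidates = [s for s in SWITCHES if alive is None or s in alive]
    return min(candidates, key=lambda s: bridge_id(s, vlan, configured))


def root_map(alive=None, configured=True):
    """Root switch per VLAN, optionally with some switches down or with no priorities configured."""
    return {vlan: elect_root(vlan, alive, configured) for vlan in VLANS}


if __name__ == "__main__":
    for vlan, root in root_map().items():
        print(f"VLAN {vlan:>3}: root {root} (priority shown as {bridge_id(root, vlan)[0]})")
    print("Core-2 down:", root_map(alive={"Core-1", "Switch-1", "Switch-2", "Switch-3"}))
    print("nothing configured:", root_map(configured=False))
```

The priority value a show spanning-tree prints for VLAN 10 on Core-1 is 10 (0 + 10) and on Core-2 4106 (4096 + 10), which is why the model adds the VLAN number before comparing.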
EtherChannel
Core-1 is the root for VLANs 1, 10 and 30 and Core-2 for VLANs 20 and 100. For example, if traffic from VLAN 10 is sent to the Internet, it traverses the Fa1/0/23 link because port Fa1/0/24 is blocking.
And if traffic from VLAN 20 goes to the local server, it first goes to the Core-2 switch and then across Fa1/0/23.
The main problem is this: there can be many devices at the access layer sending traffic to the local servers or the Internet, and only one port, Fa1/0/23, is used for it. Port Fa1/0/24 carries no traffic from Core-1 to Core-2.
To resolve this, the two links must be aggregated into an EtherChannel. Best practice is to shut down the interfaces, configure the port-channel and then bring them back up. The configuration for both Core-1 and Core-2 is:
int range fa1/0/23-24
shutdown
switchport mode trunk
channel-group 1 mode active
After this configuration, no shutdown must be issued on the interfaces of both core switches.
All VLANs on both core switches are now forwarding on all ports; the blocking ports should be on the access layer switches. For example, on 2950-Switch-1 one of the two uplinks will be blocking: Core-1 is the root for VLANs 1, 10 and 30 with Core-2 as the backup, and Core-2 is the root for VLANs 20 and 100.
Both core switches will do L3 inter-VLAN routing. IP addresses are assigned to the VLAN interfaces as follows:
Core-1 switch:
VLAN 1 = 10.1.1.251/24
VLAN 10 = 10.1.10.251/24
VLAN 20 = 10.1.20.251/24
VLAN 30 = 10.1.30.251/24
VLAN 100 = 10.1.100.251/24
Core-2 switch:
VLAN 1 = 10.1.1.252/24
VLAN 10 = 10.1.10.252/24
VLAN 20 = 10.1.20.252/24
VLAN 30 = 10.1.30.252/24
VLAN 100 = 10.1.100.252/24
int vlan x
ip address x.x.x.x x.x.x.x
no shutdown
To enable inter-VLAN routing, the ip routing command must be executed.
The access layer switches will only have a management IP address in VLAN 1:
Switch-1 = 10.1.1.1/24
Switch-2 = 10.1.1.2/24
Switch-3 = 10.1.1.3/24
Default gateway
The next issue is the default gateway. Which address should the PCs use as their default gateway? For example, the router acting as PC1 sits in VLAN 10 and needs a default gateway. Which switch will be its gateway, Core-1 (10.1.10.251) or Core-2 (10.1.10.252)? The PC may use Core-1's address because that switch is the spanning-tree root.
The problem appears when the Core-1 switch goes down: the PC can no longer reach its default gateway, so it cannot send traffic out of VLAN 10 to the Internet or to devices in other VLANs. To solve this I will use HSRP; the configuration is as follows.
HSRP creates a "virtual router" address for each VLAN:
10.1.1.254
10.1.10.254
10.1.20.254
10.1.30.254
10.1.100.254
Core-1(config)#int vlan 1
Core-1(config-if)#standby 1 ip 10.1.1.254
Core-1(config-if)#standby 1 priority 200
Core-1(config-if)#standby 1 preempt
Core-1(config-if)#exit
Core-1(config)#int vlan 10
Core-1(config-if)#standby 1 ip 10.1.10.254
Core-1(config-if)#standby 1 priority 200
Core-1(config-if)#standby 1 preempt
Core-1(config-if)#exit
Core-1(config)#int vlan 30
Core-1(config-if)#standby 1 ip 10.1.30.254
Core-1(config-if)#standby 1 priority 200
Core-1(config-if)#standby 1 preempt
Core-1(config-if)#exit
Core-1(config)#int vlan 20
Core-1(config-if)#standby 1 ip 10.1.20.254
Core-1(config-if)#exit
Core-1(config)#int vlan 100
Core-1(config-if)#standby 1 ip 10.1.100.254
Core-1(config-if)#exit
Then Core-2 switch HSRP configuration:
Core-2(config)#int vlan 20
Core-2(config-if)#standby 1 ip 10.1.20.254
Core-2(config-if)#standby 1 priority 200
Core-2(config-if)#standby 1 preempt
Core-2(config-if)#exit
Core-2(config)#int vlan 100
Core-2(config-if)#standby 1 ip 10.1.100.254
Core-2(config-if)#standby 1 priority 200
Core-2(config-if)#standby 1 preempt
Core-2(config-if)#exit
Core-2(config)#int vlan 1
Core-2(config-if)#standby 1 ip 10.1.1.254
Core-2(config-if)#exit
Core-2(config)#int vlan 10
Core-2(config-if)#standby 1 ip 10.1.10.254
Core-2(config-if)#exit
Core-2(config)#int vlan 30
Core-2(config-if)#standby 1 ip 10.1.30.254
Core-2(config-if)#exit
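The HSRP configuration above pairs a priority of 200 with preempt on the switch that is the spanning-tree root for each VLAN and leaves the other switch at the default priority of 100 without preempt. The Python model below is an added example, not IOS code, that walks through the election for these groups: the active router is the one with the highest priority (highest interface IP on a tie), and a router that recovers only takes the role back when it has both a higher priority and preempt configured. It also shows the variant without preempt, where the gateway stays on the backup switch after the primary returns.

```python
# HSRP group settings per VLAN as configured above. Tuple per router:
# (priority, preempt configured, interface IP). Priority 100 with no preempt
# is the IOS default for the groups where nothing extra was set.
HSRP = {
    1:   {"Core-1": (200, True,  "10.1.1.251"),   "Core-2": (100, False, "10.1.1.252")},
    10:  {"Core-1": (200, True,  "10.1.10.251"),  "Core-2": (100, False, "10.1.10.252")},
    30:  {"Core-1": (200, True,  "10.1.30.251"),  "Core-2": (100, False, "10.1.30.252")},
    20:  {"Core-1": (100, False, "10.1.20.251"),  "Core-2": (200, True,  "10.1.20.252")},
    100: {"Core-1": (100, False, "10.1.100.251"), "Core-2": (200, True,  "10.1.100.252")},
}


def ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def rank(cfg):
    """Higher priority wins; equal priorities fall back to the higher interface IP."""
    return (cfg[0], ip_key(cfg[2]))


def active_router(vlan, alive, current=None, table=HSRP):
    """Return the active router for the VLAN's group, or None if no router is alive.
    A router that is already active keeps the role unless a higher-priority
    router with preempt configured is alive."""
    routers = {r: c for r, c in table[vlan].items() if r in alive}
    if not routers:
        return None
    if current in routers:
        cur_prio = routers[current][0]
        challengers = [r for r, c in routers.items() if c[1] and c[0] > cur_prio]
        if not challengers:
            return current
        return max(challengers, key=lambda r: rank(routers[r]))
    return max(routers, key=lambda r: rank(routers[r]))


def failover_sequence(vlan, failed, table=HSRP):
    """Active router before `failed` goes down, while it is down, and after it returns."""
    both = {"Core-1", "Core-2"}
    before = active_router(vlan, both, table=table)
    during = active_router(vlan, both - {failed}, current=before, table=table)
    after = active_router(vlan, both, current=during, table=table)
    return (before, during, after)


def no_preempt_variant(vlan, failed="Core-1"):
    """Same groups with preempt removed everywhere: the recovered router stays standby."""
    table = {v: {r: (p, False, ip) for r, (p, _, ip) in g.items()} for v, g in HSRP.items()}
    return failover_sequence(vlan, failed, table)


if __name__ == "__main__":
    for vlan in HSRP:
        print(f"VLAN {vlan:>3}: Core-1 fails -> {failover_sequence(vlan, 'Core-1')}, "
              f"Core-2 fails -> {failover_sequence(vlan, 'Core-2')}")
    print("VLAN 1 without preempt:", no_preempt_variant(1))
```

For VLAN 1 the sequence is Core-1, then Core-2 while Core-1 is down, then Core-1 again once it returns; without preempt the last step stays on Core-2, which is what the preempt lines in the configuration above are for.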
EIGRP
On both core switches I will use the EIGRP routing protocol and include the 10.0.0.0 network:
router eigrp 100
network 10.0.0.0
no auto-summary
Router R0 must be configured with EIGRP too. On the inside it has a private address; outside, in the real world, it would be public, but in my lab I connected R0 to my home ISP router, so the address on R0's outside interface is private too. On that interface I can use either DHCP or a static address, for example 192.168.0.10/24.
R0(config)#router eigrp 100
R0(config-router)#network 10.1.1.253 0.0.0.0
R0(config-router)#network 192.168.0.0 0.0.255.255
R0(config-router)#no auto-summary
R0(config-router)#exit
Then I will configure a static default route on this router pointing to my Internet-facing ISP router at home:
R0(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1
Next I will redistribute the static route; redistribution takes a route learned from one source and advertises it in another routing protocol.
R0(config-router)#redistribute static metric 10000 100 255 1 1500
So on R0 there is a static default route pointing to my home ISP router, and it is redistributed into EIGRP and advertised to Core-1 and Core-2.
Port Address Translation
R0(config)#int fa0/1
R0(config-if)#ip nat outside
R0(config-if)#int fa0/0
R0(config-if)#ip nat inside
R0(config-if)#exit
R0(config)#ip nat inside source list 1 interface fastEthernet 0/1 overload
R0(config)#access-list 1 permit 10.0.0.0 0.255.255.255
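The overload statement above ties the translation to access-list 1, so only sources inside 10.0.0.0/8 are translated, and a packet arriving unsolicited on the outside interface finds no table entry and is dropped. The Python model below is an added example, not IOS code or this lab's configuration: it converts the ACL's wildcard mask the way IOS reads it, keeps the inside source port on the outside when it is free (as IOS tries to do) and picks a new one on collision, and shows both directions of the translation. The outside address 192.168.0.10 is the static example address the page gives for R0.

```python
import ipaddress


def acl_entry(network, wildcard):
    """IOS writes 'network wildcard'; ipaddress accepts the wildcard as a hostmask."""
    return ipaddress.ip_network(f"{network}/{wildcard}")


# access-list 1 permit 10.0.0.0 0.255.255.255
INSIDE_SOURCES = [acl_entry("10.0.0.0", "0.255.255.255")]
OUTSIDE_IP = "192.168.0.10"      # example static address for R0's outside interface


class PatTable:
    """Port Address Translation: many inside hosts share one outside IP, told apart by port."""

    def __init__(self, outside_ip, sources=INSIDE_SOURCES):
        self.outside_ip = outside_ip
        self.sources = sources
        self.inside_to_out = {}   # (proto, inside ip, inside port) -> outside port
        self.out_to_inside = {}   # (proto, outside port) -> (inside ip, inside port)

    def permitted(self, src_ip):
        """Only sources matched by the ACL are translated."""
        return any(ipaddress.ip_address(src_ip) in net for net in self.sources)

    def _alloc_port(self, proto, wanted):
        """Keep the original source port when free; otherwise take the next free one above 1024."""
        if (proto, wanted) not in self.out_to_inside:
            return wanted
        port = 1024
        while (proto, port) in self.out_to_inside:
            port += 1
        return port

    def translate(self, proto, src_ip, src_port):
        """Inside-to-outside: (outside ip, outside port), or None if the ACL denies the source."""
        if not self.permitted(src_ip):
            return None
        key = (proto, src_ip, src_port)
        if key not in self.inside_to_out:
            port = self._alloc_port(proto, src_port)
            self.inside_to_out[key] = port
            self.out_to_inside[(proto, port)] = (src_ip, src_port)
        return (self.outside_ip, self.inside_to_out[key])

    def untranslate(self, proto, dst_port):
        """Outside-to-inside: the inside host for a reply, or None when no entry exists (packet dropped)."""
        return self.out_to_inside.get((proto, dst_port))


if __name__ == "__main__":
    pat = PatTable(OUTSIDE_IP)
    print(pat.translate("udp", "10.1.10.10", 5000))    # keeps port 5000
    print(pat.translate("udp", "10.1.20.20", 5000))    # same port in use, gets another
    print(pat.translate("tcp", "192.168.0.50", 4444))  # not in access-list 1: None
    print(pat.untranslate("tcp", 9999))                # unsolicited inbound: None
```

Running it shows the second host's flow being rewritten to a different outside port because 5000 is already taken, and the two inbound lookups that fail: one for a source the ACL never permitted, one for an outside connection nobody on the inside started.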
I will add some optional configuration for name resolution to test connectivity:
R0(config)#ip name
R0(config)#ip name-server 8.8.8.8
Testing the connection
Pinging from PC1 and PC2. On the R0 router, debug ip nat is enabled.
For another test I will use the Ubuntu station with IP address 10.1.100.100, which is in VLAN 100. The connectivity test is successful.
But when the VLAN 20 interface stops working on the Core-2 switch (the spanning-tree root for VLANs 20 and 100), the root role for VLAN 20 passes to Core-1. Traffic from VLAN 100 to VLAN 20 is then not routed on the Core-2 switch but sent to Core-1, as shown below in the second command.
And when the Core-2 switch fails completely, Core-1 becomes the root for VLANs 20 and 100, as shown below (third command). Inter-VLAN traffic then goes through Core-1 as the root for all VLANs.
The same picture appears when pinging 10.1.30.30. While Core-2 is down, traffic goes through the Core-1 switch (10.1.100.251) as the backup for VLANs 20 and 100. When Core-2 (10.1.100.252) comes back, it becomes the root again.
The Core-2 switch acts as the root for VLANs 20 and 100. Since the Ubuntu station pings from VLAN 100 (10.1.100.100), its traffic flows to Core-2 as the root and is then forwarded into VLAN 30 by inter-VLAN routing. When Core-2 is powered off, the spanning-tree root role for VLANs 20 and 100 passes to Core-1; traffic flows to that switch instead and reaches the other VLAN through its inter-VLAN routing.